Erlang/OTP Forums

Ejabberd mailing list: ejabberd 1.1.1 LDAP timeout sorrows

Guest
Posted: Mon Sep 18, 2006 10:18 am
Hello all,

I've been testing ejabberd 1.1.1 (the precompiled generic GNU/Linux version from the website) on SUSE 10.0.

It all works great and it's proven to be a lot better in terms of features and reliability than the OS X Jabber server it's going
to replace.

My only last issue is that the LDAP authentication module keeps timing
out and rejecting user logon requests. When I restart the server and do
some testing LDAP (Active Directory users) can logon fine.

If I leave it for an hour or so the logon attempts fail.

In my ejabberd.log file I get...

****

=ERROR REPORT==== 2006-09-17 21:56:03 ===
** State machine <0.10535.0> terminating
** Last event in was {xmlstreamelement,
                      {xmlelement,"auth",
                       [{"xmlns","urn:ietf:params:xml:ns:xmpp-sasl"},
                        {"mechanism","PLAIN"}],
                       [{xmlcdata,
                         <<65,71,78,116,100,71,70,107,98,87,108,117,65,70,78,48,89,88,74,112,98,109,99,103,89,88,81,103,100,71,104,108,73,72,78,108,89,88,77,117>>}]}}
** When State == wait_for_feature_request
** Data == {state,{sslsocket,6,<0.10534.0>},
                  <0.10536.0>,
                  ssl,
                  "3696948738",
                  {sasl_state,"jabber",
                              "talk.group-united.com",
                              [],
                              #Fun<ejabberd_c2s.1.114093548>,
                              #Fun<ejabberd_c2s.2.66069937>,
                              undefined,
                              undefined},
                  c2s,
                  none,
                  false,
                  false,
                  false,
                  false,
                  [{certfile,"/opt/ejabberd-1.1.1/conf/server.pem"}],
                  false,
                  undefined,
                  [],
                  "talk.group-united.com",
                  [],
                  undefined,
                  {0,nil},
                  {0,nil},
                  {0,nil},
                  {0,nil},
                  undefined,
                  undefined,
                  undefined,
                  false,
                  none,
                  []}
** Reason for termination =
** {timeout,{gen_fsm,sync_send_event,
                     ['eldap_ejabberd_talk.group-united.com',
                      {search,{eldap_search,
                               wholeSubtree,
                               "dc=global,dc=network",
                               {equalityMatch,
                                {'AttributeValueAssertion',
                                 "sAMAccountName",
                                 "cmtadmin"}},
                               [],
                               false,
                               0}}]}}
lon0smtp01:/opt/ejabberd-1.1.1/logs #

*****

The LDAP server is an Active Directory LDAP server running on Windows
2003. There is a Cisco PIX firewall between the Jabber server and the
LDAP server.

Are LDAP timeouts a common problem with this module?

Thanks

~sm
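One thing worth noticing in the crash report above, independent of the LDAP question: the "Last event" is the client's raw SASL `auth` element, and SASL PLAIN is only base64, so that xmlcdata binary carries the user's credentials in the clear in ejabberd.log and now on a public list. The following is an added example, not code from the thread or from ejabberd, showing how a log-scrubbing step can recognise such a payload and redact it before a report is shared. It parses the Erlang byte-list binary literal exactly as the log prints it (that literal is copied from the post; the helper names and the placeholder text are my own) and deliberately never returns the password itself.

```python
import base64
import re

# Constructed input: the xmlcdata binary from the crash report in the post above,
# copied verbatim; it is an Erlang binary literal of decimal byte values.
CRASH_REPORT_CDATA = (
    "<<65,71,78,116,100,71,70,107,98,87,108,117,65,70,78,48,89,88,74,112,98,109,"
    "99,103,89,88,81,103,100,71,104,108,73,72,78,108,89,88,77,117>>"
)

# Matches Erlang byte-list binaries such as <<65,71,78>> (not the <<"string">> form).
ERLANG_BINARY = re.compile(r"<<(\d{1,3}(?:,\d{1,3})*)>>")


def erlang_binary_to_bytes(literal):
    """Turn an Erlang binary literal like <<65,71>> into the bytes it denotes."""
    m = ERLANG_BINARY.fullmatch(literal.strip())
    if not m:
        raise ValueError("not an Erlang byte-list binary literal")
    values = [int(v) for v in m.group(1).split(",")]
    if any(v > 255 for v in values):
        raise ValueError("byte value out of range")
    return bytes(values)


def parse_sasl_plain(cdata_literal):
    """Decode a SASL PLAIN initial response (RFC 4616: authzid NUL authcid NUL passwd).

    The password is deliberately not returned; the caller learns only that the
    payload is well-formed PLAIN, who is authenticating, and whether a password
    field is present.
    """
    raw = base64.b64decode(erlang_binary_to_bytes(cdata_literal), validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("payload is not SASL PLAIN (expected exactly two NUL separators)")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "has_password": len(passwd) > 0}


def redact_sasl_plain(report_text):
    """Replace every binary literal in a crash report that decodes as SASL PLAIN
    with a placeholder, leaving other binaries untouched."""
    def _sub(m):
        try:
            parse_sasl_plain(m.group(0))
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            return m.group(0)                       # not a PLAIN credential; keep as-is
        return '<<"[REDACTED SASL PLAIN]">>'
    return ERLANG_BINARY.sub(_sub, report_text)


if __name__ == "__main__":
    info = parse_sasl_plain(CRASH_REPORT_CDATA)
    print("authenticating as %r (authzid=%r, password present=%s)"
          % (info["authcid"], info["authzid"], info["has_password"]))
    print(redact_sasl_plain("[{xmlcdata, " + CRASH_REPORT_CDATA + "}]"))
```

Run against the report above it identifies the authenticating user as the same `cmtadmin` that appears in the failed LDAP search filter, which is how you would confirm the crash dump and the timeout are the same logon attempt without ever displaying the secret.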


Guest
Posted: Mon Sep 18, 2006 10:28 am
Simon Morris

Guest
Posted: Mon Sep 18, 2006 10:35 am
On Mon, 2006-09-18 at 11:30 +0100, Evgeniy Khramtsov wrote:
> Simon Morris wrote:
>
> > Are LDAP timeouts a common problem with this module?
> >
> No. I think this is a problem with your PIX. Seems like the PIX drops
> inactive connections after a while.

Do we know if the code attempts to keep the TCP connection open though?


Or does ejabberd open a new TCP session for each authentication
request? Just wondering.

Thanks for your reply.

~sm


Guest
Posted: Mon Sep 18, 2006 4:01 pm
On Mon, 2006-09-18 at 11:35 +0100, Simon Morris wrote:
> Do we know if the code attempts to keep the TCP connection open
> though?
>
>
> Or does ejabberd open a new TCP session for each authentication
> request? Just wondering.

I went to lurk in the ejabberd conference room and was told that the TCP
session stays open...

(11:45:45) zenith: sm: it is very unprofitable to do ldap-connection per
request
(11:46:24) zenith: sm: but some kind of ping may help, but dunno how to
implement it right

Thanks for that zenith...

The firewall engineer tells me that the translation table on the PIX has
a timeout of about 1 hour which makes sense. This is about the time it
takes for the auth_ldap module to start to fail.

He cannot increase the timeout as it will affect the memory usage on the
firewall.

Is there a solution? I cannot bring the LDAP server into the DMZ where
the Jabber server sits and I must have LDAP integration.

Thanks

~sm


Guest
Posted: Tue Sep 19, 2006 2:10 am
Simon Morris wrote:

>The firewall engineer tells me that the translation table on the PIX has
>a timeout of about 1 hour which makes sense. This is about the time it
>takes for the auth_ldap module to start to fail.
>
>He cannot increase the timeout as it will affect the memory usage on the
>firewall.
>
>Is there a solution? I cannot bring the LDAP server into the DMZ where
>the Jabber server sits and I must have LDAP integration.
>
I did some research and found some information about the timing of
keepalive packets.
For Linux:
http://libkeepalive.sourceforge.net/docs/TCP-Keepalive-HOWTO
For Windows NT-like:
http://www.winguides.com/registry/display.php/891/

As you can see, the keepalive function is OS dependent and you can configure
it manually.
Also, I'd like to note that on Linux and Windows the default value is 2
hours, so I think it
is not a good idea to set this option to less than 2 hours on the PIX.
Please show these links
to your firewall engineer.

Unfortunately, ejabberd doesn't open LDAP connections in keepalive mode.
But you can simply change this. Apply the patch:
--- ejabberd.orig/src/eldap/eldap.erl 2006-09-15 08:26:53.000000000 +1000
+++ ejabberd/src/eldap/eldap.erl 2006-09-19 12:05:33.000000000 +1000
@@ -808,7 +808,7 @@
%%-----------------------------------------------------------------------
connect_bind(S) ->
Host = next_host(S#eldap.host, S#eldap.hosts),
- TcpOpts = [{packet, asn1}, {active, true}, binary],
+ TcpOpts = [{packet, asn1}, {active, true}, {keepalive, true}, binary],
case gen_tcp:connect(Host, S#eldap.port, TcpOpts) of
{ok, Socket} ->
case bind_request(Socket, S) of
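Review bot: the added {keepalive, true} in the TcpOpts line only enables SO_KEEPALIVE; it does not choose when the first probe is sent, so on a host with the 2-hour default mentioned above the socket will still sit idle past the PIX's 1-hour translation timeout and the next search will time out exactly as in the original report. The patch should be accompanied by lowering the kernel's keepalive time (net.ipv4.tcp_keepalive_time on Linux) comfortably below the firewall's idle timeout, and that requirement deserves a comment next to the option so the next reader does not assume the one-word change is sufficient on its own.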

And recompile ejabberd.

Regards.

_______________________________________________
ejabberd mailing list
ejabberd@jabber.ru
http://lists.jabber.ru/mailman/listinfo/ejabberd
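The patch above turns on SO_KEEPALIVE, and the message rightly says the probe timing belongs to the OS. What a practitioner then wants to check is whether the kernel's first-probe timer is actually shorter than the firewall's idle timeout, because a 2-hour keepalive cannot refresh a 1-hour translation entry. The following is an added example, not code from the thread or from ejabberd: it sizes the keepalive timers against the PIX timeout stated in the thread and applies them per socket, using a loopback TCP connection in place of the ejabberd-to-Active-Directory LDAP socket. The 7200-second Linux default and the option names TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT (TCP_KEEPALIVE on macOS) are assumptions about the host, not facts established in the thread.

```python
import socket

# Values from the thread: the PIX translation table drops idle entries after
# about an hour, and the poster reports Linux's default keepalive is 2 hours.
# Treated here as assumptions about the host rather than measured facts.
PIX_XLATE_TIMEOUT = 3600             # firewall idle timeout, seconds
LINUX_DEFAULT_KEEPALIVE_TIME = 7200  # net.ipv4.tcp_keepalive_time default, seconds

# Per-socket option names differ by platform: Linux exposes TCP_KEEPIDLE,
# macOS calls the idle timer TCP_KEEPALIVE; interval/count may be absent.
_IDLE_OPT = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
_INTVL_OPT = getattr(socket, "TCP_KEEPINTVL", None)
_CNT_OPT = getattr(socket, "TCP_KEEPCNT", None)


def keepalive_plan(fw_idle_seconds, os_keepalive_time=LINUX_DEFAULT_KEEPALIVE_TIME, margin=0.5):
    """Size keepalive timers so the first probe precedes the firewall's idle timeout.

    Returns idle (seconds before the first probe), interval (between probes) and
    count (unanswered probes before the socket is declared dead), plus whether the
    OS default would have refreshed the firewall entry on its own.
    """
    idle = max(1, int(fw_idle_seconds * margin))
    interval = max(1, idle // 4)
    count = 3
    return {
        "idle": idle,
        "interval": interval,
        "count": count,
        "os_default_suffices": os_keepalive_time < fw_idle_seconds,
    }


def enable_keepalive(sock, idle, interval, count):
    """Turn on SO_KEEPALIVE (what the ejabberd patch does) and, where the platform
    allows, set the per-socket timers (what the patch cannot do)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if _IDLE_OPT is not None:
        sock.setsockopt(socket.IPPROTO_TCP, _IDLE_OPT, idle)
    if _INTVL_OPT is not None:
        sock.setsockopt(socket.IPPROTO_TCP, _INTVL_OPT, interval)
    if _CNT_OPT is not None:
        sock.setsockopt(socket.IPPROTO_TCP, _CNT_OPT, count)


def effective_keepalive(sock):
    """Read back what the kernel accepted, so a deployment can be verified."""
    out = {"SO_KEEPALIVE": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    if _IDLE_OPT is not None:
        out["idle"] = sock.getsockopt(socket.IPPROTO_TCP, _IDLE_OPT)
    if _INTVL_OPT is not None:
        out["interval"] = sock.getsockopt(socket.IPPROTO_TCP, _INTVL_OPT)
    if _CNT_OPT is not None:
        out["count"] = sock.getsockopt(socket.IPPROTO_TCP, _CNT_OPT)
    return out


def demo_loopback(fw_idle_seconds=PIX_XLATE_TIMEOUT):
    """Open a loopback TCP connection standing in for the ejabberd -> AD LDAP
    socket, apply the plan for the given firewall timeout, and report the result."""
    plan = keepalive_plan(fw_idle_seconds)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        client.connect(listener.getsockname())
        enable_keepalive(client, plan["idle"], plan["interval"], plan["count"])
        return {"plan": plan, "effective": effective_keepalive(client)}
    finally:
        client.close()
        listener.close()


if __name__ == "__main__":
    result = demo_loopback()
    print("plan:", result["plan"])
    print("kernel accepted:", result["effective"])
```

Per-socket options override the sysctl defaults for that socket only, which is the form a daemon should prefer. Where the application cannot set them (the Erlang option in the patch only toggles SO_KEEPALIVE), the equivalent is lowering net.ipv4.tcp_keepalive_time system-wide to something below the firewall's timeout; otherwise the patch changes nothing observable.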
Guest
Posted: Tue Sep 19, 2006 1:02 pm
On Tue, 2006-09-19 at 03:09 +0100, Evgeniy Khramtsov wrote:

> Unfortunately, ejabberd doesn't open LDAP connections in keepalive
> mode.
> But you can simply change this. Apply the patch:
> --- ejabberd.orig/src/eldap/eldap.erl 2006-09-15 08:26:53.000000000
> +1000
> +++ ejabberd/src/eldap/eldap.erl 2006-09-19 12:05:33.000000000
> +1000
> @@ -808,7 +808,7 @@
> %
> %-----------------------------------------------------------------------
> connect_bind(S) ->
> Host = next_host(S#eldap.host, S#eldap.hosts),
> - TcpOpts = [{packet, asn1}, {active, true}, binary],
> + TcpOpts = [{packet, asn1}, {active, true}, {keepalive, true},
> binary],
> case gen_tcp:connect(Host, S#eldap.port, TcpOpts) of
> {ok, Socket} ->
> case bind_request(Socket, S) of
>
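Review bot: with {active, true} in the TcpOpts line the owning process will receive {tcp_closed, Socket} or {tcp_error, Socket, Reason} once keepalive probes go unanswered, and nothing in this hunk shows the reconnect path; it is worth confirming that the handler for those messages re-runs connect_bind/1 (the function shown here) rather than leaving the eldap process attached to a dead socket, otherwise later searches will time out the same way the original report shows and the keepalive only turns a silent hang into a detected close.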
> And recompile ejabberd.

Thank you.

I've applied the patch and rebuilt ejabberd (this time on Debian using
dpkg-build)

Would you intend this patch to go into the main release of ejabberd for
future versions or do I need to patch it when I upgrade?

I will let the list know how I get on with the patched version

Thanks

~sm


Guest
Posted: Tue Sep 19, 2006 1:39 pm
Simon Morris

All times are GMT